Athreya aka Maneshwar

Detecting and Cleaning Suspicious Temporary Files and Processes on Linux

Hello, I'm Maneshwar. I'm building git-lrc, an AI code reviewer that runs on every commit. It is free, unlimited, and source-available on GitHub. Star us to help devs discover the project. Do give it a try and share your feedback for improving the product.

Temporary directories like /tmp are often exploited by attackers or malware to drop executables, scripts, or encoded payloads.

Left unchecked, these files can be executed automatically or manually, leading to compromised systems.

This guide will explain how to find, analyze, and safely remove suspicious files, and prevent future attacks.

1. Understanding /tmp and Suspicious Artifacts

Linux uses /tmp as a writable directory for temporary files. Normally, it contains:

  • .X11-unix, .ICE-unix — X11 sockets
  • .font-unix — font cache
  • Application caches (e.g., node-compile-cache, v8-compile-cache-*)

Suspicious files often include:

  • Randomly named binaries: ECRXk, zImZT
  • Base64-encoded payloads: SKMIC.b64, ofMnf.b64
  • Obfuscated scripts: lrops.sh.backup*
  • Malicious plugins: plugin<number>

These could be used for:

  • Running malware or crypto miners
  • Maintaining backdoors
  • Exfiltrating data
  • Creating persistence on reboot

2. Detecting Suspicious Files

Use ls and file commands to identify unusual files:

cd /tmp
ls -A | grep -vE '^mcfly\.|^systemd-private-'

This lists every entry except the mcfly and systemd-private temp files excluded by the pattern; extend the pattern with any other names you expect to see on your system.

Check the file type:

file ECRXk SKMIC.b64 ofMnf.b64
  • ELF executables: Statically linked, often dropped by attackers
  • ASCII text / Base64: Encoded payloads for hiding executables or scripts

Preview the content without executing:

strings -n 8 ECRXk | head -n 20     # printable strings only; head on an ELF would dump raw bytes to the terminal
base64 -d SKMIC.b64 | file -        # identify what the payload decodes to without writing it to disk

3. Checking Running Processes

Some of these temporary files might already be executing. Use:

ps aux | grep -E 'kcached|node-compile-cache|plugin'

Look for processes running from /tmp — legitimate applications rarely run from /tmp.
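The checks from sections 2 and 3 combined into one small triage script, added here as an example that is not part of the original post: it lists entries not on an allowlist with a content-based type (ELF, script, base64), finds processes whose executable lives under the directory by reading /proc, and builds a constructed sample directory so it can be tried offline. Assumed: POSIX sh with GNU coreutils and a mounted /proc; the allowlist names are the ones the post calls normal.

```shell
#!/bin/sh
# Added example (not code from the original post). Assumes POSIX sh with GNU
# coreutils (head, base64, readlink) and a mounted /proc. Nothing here runs a sample.

# Names the post treats as normal in /tmp; extend for your own system.
ALLOW='^\.X11-unix$|^\.ICE-unix$|^\.font-unix$|^systemd-private-|^mcfly\.|^node-compile-cache|^v8-compile-cache'

# classify FILE -> elf | script | base64 | other, judged from content only
classify() {
  if [ "$(head -c 4 "$1")" = "$(printf '\177ELF')" ]; then
    echo elf
  elif head -n 1 "$1" | grep -q '^#!'; then
    echo script
  elif [ -s "$1" ] && tr -d '\n' <"$1" | grep -Eq '^[A-Za-z0-9+/=]+$' && base64 -d "$1" >/dev/null 2>&1; then
    echo base64
  else
    echo other
  fi
}

# scan_dir DIR -> one "type<TAB>name" line per entry not on the allowlist
scan_dir() {
  ls -A "$1" | grep -vE "$ALLOW" | while read -r name; do
    if [ -f "$1/$name" ]; then t=$(classify "$1/$name"); else t=dir; fi
    printf '%s\t%s\n' "$t" "$name"
  done
}

# tmp_processes DIR -> "pid<TAB>exe" for every process whose executable is
# under DIR; a binary unlinked after launch still shows as "... (deleted)"
tmp_processes() {
  for exe in /proc/[0-9]*/exe; do
    target=$(readlink "$exe" 2>/dev/null) || continue
    case $target in
      "$1"/*) pid=${exe#/proc/}; printf '%s\t%s\n' "${pid%/exe}" "$target" ;;
    esac
  done
}

# build_sample_dir -> a constructed directory mimicking the post's artifacts:
# a fake ELF header, a base64 blob, a script, and two benign entries
build_sample_dir() {
  d=$(mktemp -d)
  printf '\177ELF\002\001\001' >"$d/ECRXk"
  printf 'echo hello' | base64 >"$d/SKMIC.b64"
  printf '#!/bin/sh\nsleep 5\n' >"$d/lrops.sh.backup1"
  mkdir "$d/.X11-unix"; : >"$d/mcfly.history"
  echo "$d"
}
```

On a live host, source the file and run scan_dir /tmp and tmp_processes /tmp; the sample directory only exists so the functions can be exercised without touching the real /tmp.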

4. Checking Logs for Suspicious Activity

SSH logs, system logs, and cron logs can reveal unauthorized activity:

# Successful SSH logins (grep "Failed password" for failed attempts)
sudo grep "Accepted" /var/log/auth.log*

# Log entries that mention deleted files
sudo journalctl | grep deleted

# Cron jobs
sudo ls -l /etc/cron.*

5. Cleaning Up Suspicious Files

Remove the suspicious files (if you want to analyze them later, first move them to an isolated directory with execute permission removed):

sudo rm -f /tmp/ECRXk /tmp/SKMIC.b64 /tmp/ofMnf.b64 /tmp/Ncaq5gszlR
sudo rm -f /tmp/lrops.sh.backup* /tmp/pgrestore /tmp/zImZT
sudo rm -f /tmp/plugin*

Check /tmp again to confirm:

ls -A /tmp | grep -vE '^mcfly\.|^systemd-private-'

6. Checking for Persistence

Attackers may try to survive reboots using:

  • Cron jobs: Check /etc/cron.* directories
  • Systemd services: systemctl list-units --type=service
  • User shell scripts: .bashrc, .profile, .bash_profile

Example to check user cron jobs:

for u in $(cut -d: -f1 /etc/passwd); do
  echo "Cron jobs for $u:"
  sudo crontab -l -u "$u" 2>/dev/null   # listing another user's crontab requires root
done
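A persistence audit covering the three locations listed above (cron, systemd units, login scripts), added here as an example that is not from the original post. It takes an optional root so it can be pointed at a mounted disk image or, as in the constructed sample tree, at a test directory; the search pattern, file locations and sample contents are my assumptions.

```shell
#!/bin/sh
# Added example (not code from the original post): look for persistence
# entries that launch from a temp directory or decode base64 inline.
# ROOT defaults to / (live system) and may be a mounted image or test tree.

PAT='/tmp/|/dev/shm/|base64 (-d|--decode)'

# grep_each PATTERN FILE... -> "file:line:text" per match; silently skips
# missing files and never returns non-zero just because nothing matched
grep_each() {
  pat=$1; shift
  for f in "$@"; do
    [ -f "$f" ] || continue
    grep -HEn "$pat" "$f" || :
  done
}

# find_persistence [ROOT] -> matching lines from cron, systemd units and
# login scripts below ROOT
find_persistence() {
  r=${1:-}
  # cron: system crontab, /etc/cron.* drop-ins, per-user spools
  grep_each "$PAT" "$r"/etc/crontab "$r"/etc/cron.*/* \
    "$r"/var/spool/cron/crontabs/* "$r"/var/spool/cron/*
  # systemd: any Exec*= line that runs from a temp dir or decodes inline
  grep_each "^Exec.*($PAT)" "$r"/etc/systemd/system/*.service \
    "$r"/lib/systemd/system/*.service "$r"/home/*/.config/systemd/user/*.service
  # login scripts for root and every home directory
  grep_each "$PAT" "$r"/root/.bashrc "$r"/root/.profile \
    "$r"/home/*/.bashrc "$r"/home/*/.profile "$r"/home/*/.bash_profile
}

# build_sample_root -> constructed tree with three suspicious entries and
# one benign service, used to exercise find_persistence offline
build_sample_root() {
  d=$(mktemp -d)
  mkdir -p "$d/etc/cron.d" "$d/etc/systemd/system" "$d/home/alice"
  printf '* * * * * root /tmp/ECRXk\n' >"$d/etc/cron.d/update"
  printf '[Service]\nExecStart=/tmp/pgrestore\n' >"$d/etc/systemd/system/pg.service"
  printf '[Service]\nExecStart=/usr/sbin/sshd -D\n' >"$d/etc/systemd/system/ssh.service"
  printf 'alias ll="ls -l"\nbase64 -d /tmp/SKMIC.b64 >/tmp/ECRXk\n' >"$d/home/alice/.bashrc"
  echo "$d"
}
```

Run find_persistence with no argument (as root, so the cron spools and other users' home directories are readable) to audit the live system.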

7. Preventing Future Infections

  • Restrict /tmp execution (a remount lasts until reboot; add the same options to the /tmp entry in /etc/fstab to make it permanent, and test first, since some installers and build tools expect to execute from /tmp):
  sudo mount -o remount,noexec,nosuid,nodev /tmp
  • Audit cron jobs and user keys (sudo cannot run a shell for loop directly, and the shell does not expand ~$u, so run the loop under sudo sh -c and take each home directory from passwd):
  sudo sh -c 'for u in $(cut -d: -f1 /etc/passwd); do h=$(getent passwd "$u" | cut -d: -f6);
    [ -f "$h/.ssh/authorized_keys" ] && { echo "== $u"; cat "$h/.ssh/authorized_keys"; }; done'
  • Regular log reviews: journalctl, auth.log
  • Install malware scanners: e.g., Lynis, rkhunter, chkrootkit

8. Conclusion

Temporary directories can be exploited for persistent malware.

Regular monitoring of /tmp, checking file types, reviewing logs, and removing suspicious files are essential to secure your Linux system.

By following the steps in this guide, you can detect, analyze, and safely remove hidden threats like kcached, encoded binaries, or rogue plugins.

git-lrc

AI agents write code fast. They also silently remove logic, change behavior, and introduce bugs -- without telling you. You often find out in production.

git-lrc fixes this. It hooks into git commit and reviews every diff before it lands. 60-second setup. Completely free.

Any feedback or contributors are welcome! It's online, source-available, and ready for anyone to use.

⭐ Star it on GitHub: HexmosTech/git-lrc (Free, Unlimited AI Code Reviews That Run on Commit)
